Dyn issues analysis of ‘complex and sophisticated’ cyberattacks

Company identifies Mirai botnet as primary weapon in attack

By Jeff Feingold

Published: October 27, 2016

Dyn executive Scott Hilton says the company ‘will not speculate’ about the cyberattacker’s motive or identity.

Dyn Inc.’s executive vice president of products says the company has confirmed that the primary malware used in last week’s multiple cyberattacks against the Manchester-based company is known as the Mirai botnet.

In an “analysis summary” of the cyberattacks that was posted on the company’s website, The executive, Scott Hilton, points to Mirai as the “primary source of malicious attack traffic.” Mirai is a malware can turn Linux computer systems – mostly online consumer devices like remote cameras and home routers – into remotely controlled bots that can be used in large-scale network attacks. The malware targets online consumer devices such as remote cameras and home routers.

Hilton, who called the attack “complex and sophisticated,” said the company is collaborating “in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attacker.”

According to Hilton’s analysis, the first Distributed Denial of Service (DDoS) attack against Dyn occurred from 7:10 a.m. to 9:20 a.m., with a second attack occurring between 11:50 a.m. and until 1 p.m. He said that “a number of probing smaller TCP attacks occurred over the next several hours and days; however, our mitigation efforts were able to prevent any further customer impact.”

In the first attack, he said, the company “began to see elevated bandwidth against our Managed DNS platform in the Asia Pacific, South America, Eastern Europe, and US-West regions that presented in a way typically associated with a DDoS attack. As we initiated our incident response protocols, the attack vector abruptly changed, honing in on our points of presence in the US-East region with high-volume floods of TCP and UDP packets, both with destination port 53 from a large number of source IP addresses. The abrupt ramp-up time and multi-vectored nature of the attack, led to our Engineering and Network Operations teams deploying additional mitigation tactics on top of our automated response techniques. These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering and deployment of scrubbing services. Mitigation efforts were fully deployed” by 9:20 a.m.

‘Important conversation’

About two and a half hours later, the second, “more globally diverse” attack began, using the same protocols as the original attack.

“Building upon the defenses deployed during the earlier attack and extending them globally,” the company was able to “substantially recover” by from the second attack by about 1 p.m.

He added that the malicious attacks seem to have been “sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

He said that Dyn “will continue to conduct analysis, given the complexity and severity of this attack,” adding that the firm “very quickly” initiated protective measures during the attack, “and we are extending and scaling those measures aggressively.”

The attack, Hilton wrote, “has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of ‘Internet of Things’ devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet.

This article appears in the November 11 2016 issue of New Hampshire Business Review